Date: Tue, 18 Aug 2015 12:30:14 -0400 (EDT)
cc: Security Team <>,
Subject: Re: CVE requests for Drupal contributed modules (from
 SA-CONTRIB-2015-100 to SA-CONTRIB-2015-131)


>Camtasia Relay - Cross Site Scripting (XSS) - SA-CONTRIB-2015-100

Use CVE-2015-5487.

>MailChimp - Cross Site Scripting (XSS) - SA-CONTRIB-2015-101

Use CVE-2015-5488.

>Smart Trim - Cross Site Scripting (XSS) - SA-CONTRIB-2015-102

Use CVE-2015-5489.

>Views - Access Bypass - SA-CONTRIB-2015-103

Use CVE-2015-5490.

>Dynamic display block - Access bypass - SA-CONTRIB-2015-104

Use CVE-2015-5491.

>Video Consultation - Cross Site Scripting (XSS) - SA-CONTRIB-2015-105

Use CVE-2015-5492.

>Entityform Block - Access Bypass - SA-CONTRIB-2015-106

Use CVE-2015-5493.

>Webform Matrix Component - Cross Site Scripting (XSS) - SA-CONTRIB-2015-107

Use CVE-2015-5494.

>Mobile sliding menu - Cross Site Scripting (XSS) - SA-CONTRIB-2015-108

Use CVE-2015-5495.

>pass2pdf - Information Disclosure - SA-CONTRIB-2015-109

Use CVE-2015-5496.

>Web Links - Cross Site Scripting (XSS) - SA-CONTRIB-2015-110

Use CVE-2015-5497.

>Shipwire - Cross Site Scripting (XSS) - SA-CONTRIB-2015-111

Use CVE-2015-5498.

>Navigate - Access Bypass - SA-CONTRIB-2015-112

Use CVE-2015-5499.

>Navigate - Cross-site scripting - SA-CONTRIB-2015-112

Use CVE-2015-5500.

>Aegir - Code Execution Prevention - SA-CONTRIB-2015-113

Use CVE-2015-5501.

>Storage API - Access Bypass - SA-CONTRIB-2015-114

Use CVE-2015-5502.

>Chamilo integration - Open Redirect - SA-CONTRIB-2015-115

Use CVE-2015-5503.

>Novalnet Payment Module Ubercart - SQL Injection - SA-CONTRIB-2015-116

>The module fails to sanitize a database query by not using the database
>API properly, thereby leading to a SQL Injection vulnerability.

Use CVE-2015-5504.

>Since the affected path is not protected against CSRF, a malicious user can
>exploit this vulnerability by triggering a request to a specially-crafted URL.

It is not clear to us if this CSRF issue is exploitable.  The attack
seems to be against a Novalnet employee, but it is not known if
Novalnet employees have access to the specific IP in a way that would
make the exploit feasible.

>Novalnet Payment Module Drupal Commerce - SQL Injection - SA-CONTRIB-2015-117

We believe that the Novalnet Payment Module Drupal Commerce module may
share a codebase with the Novalnet Payment Module Ubercart module in

If you can confirm that the vulnerable code in SA-CONTRIB-2015-117 is
different from the code in SA-CONTRIB-2015-116, then we will issue a
separate CVE ID.  Otherwise, use CVE-2015-5504 for this vulnerability.

>HTTP Strict Transport Security - Logical Error - SA-CONTRIB-2015-118

Use CVE-2015-5505.

>Apache Solr Real-Time - Access Bypass - SA-CONTRIB-2015-119

Use CVE-2015-5506.

>Inline Entity Form - Cross Site Scripting (XSS) - SA-CONTRIB-2015-120

Use CVE-2015-5507.

>The eXtensible Catalog (XC) Drupal Toolkit - Cross Site Request
>Forgery (CSRF) - SA-CONTRIB-2015-121

Use CVE-2015-5508.

>Administration Views - Access Bypass - SA-CONTRIB-2015-122

Use CVE-2015-5509.

>jQuery Update - Open Redirect - SA-CONTRIB-2015-123
>LABjs - Open Redirect - SA-CONTRIB-2015-124
>Acquia Cloud Site Factory Connector - Open Redirect - SA-CONTRIB-2015-125

A new CVE might not be necessary.

We believe that SA-CONTRIB-2015-123, SA-CONTRIB-2015-124, and
SA-CONTRIB-2015-125 share the same codebase (Overlay JavaScript file)
as the Overlay module in SA-CORE-2015-002, which has been issued

>Content Construction Kit (CCK) - Open Redirect - SA-CONTRIB-2015-126

Use CVE-2015-5510.

>HybridAuth Social Login - Access bypass - SA-CONTRIB-2015-127

Use CVE-2015-5511.

>me aliases - Access Bypass - SA-CONTRIB-2015-128

Use CVE-2015-5512.

>Shibboleth authentication - Cross Site Scripting (XSS) - SA-CONTRIB-2015-129

Use CVE-2015-5513.

>Migrate - Cross Site Scripting (XSS) - SA-CONTRIB-2015-130

Use CVE-2015-5514.

>Views Bulk Operations - Access Bypass - SA-CONTRIB-2015-131

Use CVE-2015-5515.

---

CVE assignment team, MITRE CVE Numbering Authority M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
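The SA-CONTRIB-2015-116 description quoted above (a database query built without the database API, reachable through a path with no CSRF protection) is the pairing of two weaknesses that the MITRE reply discusses. The following is an added illustration in Drupal 7 API terms, not code from the Novalnet module, from the Drupal security team, or from the advisory: the path name, callback names, table name and token value are assumptions chosen for the example. It shows the vulnerable pattern beside the hardened one.

```php
<?php
// Added example, not Novalnet or Drupal project code. Path, function and
// table names are hypothetical; only the Drupal 7 API calls are real.

// --- Vulnerable pattern --------------------------------------------------
// A GET-reachable callback that splices request input straight into SQL and
// performs no CSRF check. Any crafted URL a privileged user follows (or that
// an attacker can request with that user's session) runs the attacker's SQL.
function example_vuln_menu() {
  $items['example/transaction/status'] = array(
    'page callback'    => 'example_vuln_status',
    'access arguments' => array('administer site configuration'),
    'type'             => MENU_CALLBACK,
  );
  return $items;
}

function example_vuln_status() {
  $tid = isset($_GET['tid']) ? $_GET['tid'] : '';
  // String concatenation: ?tid=1'%20OR%20'1'='1 changes the query's meaning.
  $status = db_query("SELECT status FROM {example_txn} WHERE tid = '" . $tid . "'")
    ->fetchField();
  return t('Transaction status: @s', array('@s' => $status));
}

// --- Hardened pattern ----------------------------------------------------
// 1. Require a per-session token (drupal_get_token / drupal_valid_token), so
//    a URL the attacker composes in advance cannot pass the check.
// 2. Pass input through db_query() placeholders, so it is bound as data and
//    never parsed as SQL.
function example_safe_menu() {
  $items['example/transaction/status'] = array(
    'page callback'    => 'example_safe_status',
    'access arguments' => array('administer site configuration'),
    'type'             => MENU_CALLBACK,
  );
  return $items;
}

function example_safe_status() {
  // Reject the request outright if the CSRF token is missing or not issued
  // for this session/value. MENU_ACCESS_DENIED yields a 403 page.
  if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], 'example_txn_status')) {
    return MENU_ACCESS_DENIED;
  }
  // Cast to the expected type and bind with a named placeholder.
  $tid = (int) (isset($_GET['tid']) ? $_GET['tid'] : 0);
  $status = db_query(
    'SELECT status FROM {example_txn} WHERE tid = :tid',
    array(':tid' => $tid)
  )->fetchField();
  return t('Transaction status: @s', array('@s' => $status));
}

// Legitimate links to the hardened path must carry the token, e.g.:
function example_safe_status_url($tid) {
  return url('example/transaction/status', array(
    'query' => array(
      'tid'   => (int) $tid,
      'token' => drupal_get_token('example_txn_status'),
    ),
  ));
}
```

The two fixes are independent: placeholders alone stop the SQL injection, while the token alone only stops the cross-site trigger, so a module that fixes one and not the other is still exposed to the other class. When reviewing a contributed module for this pattern, grep for `db_query(` calls whose first argument is built with `.` or string interpolation, and for menu callbacks that change or expose state on a plain GET without `drupal_valid_token()` or a form API token.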

